Researchers: Poor password practices hurt security for all

Passwords cracked at weak sites might be used at sites with better practices

A large-scale study of password-protected Web sites revealed a lack of standards across the industry that harms end-user security, according to two researchers working at the University of Cambridge in England.

In particular, the weak implementations of password-based authentication at lower-security sites compromises the protections offered at higher-security sites because individuals often re-use passwords, Joseph Bonneau and Soren Preibusch asserted in a paper presented at the Workshop on the Economics of Information Security in Cambridge, Massachusetts, Monday.

Attackers can use low-security Web sites such as news outlets to figure out passwords associated with certain e-mail addresses, and then use those passwords to access accounts at higher-security sites such as e-commerce vendors, Bonneau said.

In an effort that the researchers said is the largest empirical investigation into password implementations to date, they collected data from 150 web sites and found widespread "questionable design choices, inconsistencies, and indisputable mistakes," according to Bonneau and Preibusch.

The researchers seemed disinclined to blame users for re-using passwords or making them easy to guess, arguing that most users have too many online accounts to manage them all securely.

"Sites' decisions to collect passwords can be viewed as a tragedy of the commons, with competing Web sites collectively depleting users' capacity to remember secure passwords," they wrote.

The large majority -- 78 percent -- of sites examined failed to provide users with feedback or advice on choosing a strong password. Only five sites let the user register password hints, a strategy that will encourage users to come up with stronger passwords. Just seven sites required users to mix numbers and letters, and only two demanded that passwords include non-alphanumeric characters as well.

Bonneau and Preibusch also identified widespread weaknesses in how passwords are submitted to the server when users log in. Only three sites used techniques that prevent the server from receiving a user's cleartext password at login, although two of those collected cleartext passwords at enrollment.

Most of the sites, 126 in all, seemed to allow unlimited attempts to guess a password; the researchers used a script that attempted incorrect guesses 100 times, after which a person typing in the correct password was able to log in successfully. This indicates that most sites don't bother to protect against guessing attacks, they said.

Overall, recognized best practices in password security are widely ignored, Bonneau and Preibusch said. Well over half the sites failed to use TLS (transport layer security) to protect password transmission at every stage -- some used it at enrollment but not at the login or update point, for example.

In what Bonneau called the "worst practice in the industry", 29 percent of sites tested e-mailed users cleartext passwords. In addition, 83 percent allowed unrestricted probing for user membership, and 84 percent permitted unrestricted password guessing.

The sites whose owners are the worst offenders are content sites as newspaper Web sites which don't tend to store sensitive user information, the researchers said. Conversely, sites that store payment details had significantly stronger security practices, the researchers said.

So why do so many sites collect passwords when the practice is generally harmful when poorly implemented? Those sites with poor password practices also seem to be those with an interest in collecting e-mail and personal data about their users.

While broader adoption of delegated protocols such as OpenID would help, Bonneau and Preibusch are pessimistic that the market will support such solutions at the cost of these opportunities to collect user information.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags passwords

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Elizabeth Heichler

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?